Preventive controls are security measures designed to stop an incident before it occurs. Examples include firewalls, access restrictions, encryption, and security training. In the ISO 27001 taxonomy, a control’s purpose is categorized as preventive, detective, or corrective. Preventive controls are generally the most cost-effective since they avoid damage entirely. However, no security concept can rely on prevention alone, which is why you always complement preventive measures with detective (detection) and corrective (recovery) controls.